1-3. (Cancelled) 



IN THE CLAIMS 



4. (Previously presented) A method comprising: 

receiving node information for a node coupled to a computer network; 

analyzing the received node information to identify a unique identifier; 

selecting at least a security identified provided by an operating system of the node for 
the unique identifier when the analysis indicates that the node information includes the 
security identifier; 

selecting at least a serial number provided by a basic input output system of the node 
for the unique identifier when the analysis indicates that the node information does not 
include the security identifier; 

selecting at least a physical address for the unique identifier when the analysis 
indicates that the node information does not include either of the security identifier and the 
serial number; 

determining whether to issue an alarm indicating a network intrusion responsive to 
receiving the node information by comparing the unique identifier to a database; 

automatically linking at least a portion of said node information to an existing 
database entry in the database and not issuing the alarm when the comparison indicates a 
tracked entity that corresponds to the node; and 

issuing the alarm indicating the network intrusion and creating a new database entry 
when the comparison indicates that the node is a new entity. 

5. (Previously presented) The method of claim 4, wherein the unique identifier is 
not based solely on an Internet Protocol (IP) address such that the determination of whether 
the alarm is sent is independent of whether the node is subject to static or dynamic address 
assignment. 

6. (Previously presented) The method of claim 5, wherein the unique identifier is 
a combination of the physical address and a network address for the node. 

7. (Previously presented) The method of claim 4, wherein the unique identifier 
includes a domain name associated with the node, a computer name associated with the node 
and one other value associated with the node. 
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8. (Previously presented) The method of claim 7, wherein the other value is a 
security identifier, a serial number or the physical address. 

9. (Previously presented) A method comprising: 

receiving node information for a node coupled to a computer network; 

selecting from the received node information a security identifier for use in a unique 
identifier when the security identifier is available, and when the security identifier is not 
available, selecting a substitute value for use in the unique identifier, the substitute value 
being at least one value selected from the group of a serial number, a physical address and 
another statically assigned value; 

determining whether to issue an alarm indicating a network intrusion responsive to 
receiving the node information by comparing the unique identifier to a database; 

automatically linking at least a portion of said node information to an existing 
database entry in the database and not issuing the alarm when the comparison indicates a 
tracked entity that corresponds to the node; and 

issuing the alarm indicating the network intrusion and creating a new database entry 
when the comparison indicates that the node is a new entity. 

1 0. (Previously presented) The method of claim 9, wherein the unique identifier is 
a combination of the physical address and a network address for the node. 

1 1 . (Previously presented) The method of claim 9, wherein said tracked entity is a 
user of said computer network. 

12. (Previously presented) The method of claim 9, wherein said tracked entity is a 
computer system. 

13. (Currently amended) An apparatus comprising: 
one or more processors; and 

a memory coupled to the processors comprising instructions executable by the 
processors, the processors operable when executing the instructions to: 

receive node information for a node coupled to a computer network; 
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select from the received node information a security identifier for use in a unique 
identifier when the security identifier is available, and when the security identifier is not 
available, select a substitute value for use in the unique identifier, the substitute value being 
at least one value selected from the group of a serial number, a physical address and another 
statically assigned value; 

determine whether to issue an alarm indicating a network intrusion responsive to 
receiving the node information by comparing the unique identifier to a database; 

automatically link at least a portion of said node information to an existing database 
entry in the database and not issuing the alarm if the comparison indicates a tracked entity 
that corresponds to the node; and 

issue the alarm indicating the network intrusion and create a new database entry if the 
comparison indicates that the node is a new entity- 
analyze identifier s included in th e rec e iv e d node information to s e l e ct a value for 
comparing to a database that lists tracked entities; 

determining whether th e node corr e sponds to one of the tracked entities by comparing 
the selected value to the database; 

when the nod e corresponds to on e of the track e d entities, linking at least a portion of 
the roooived node information to an existing e ntry in th e database; and 

when the node does not corr e spond to on e of th e tracked entities, adding an ontry -fe^a 
new entity to the database and linking th e nod e information to the new entry. 

14. (Currently amended) The apparatus of claim 13 wherein the unique identifier 
selected valu e is not based solely on an Internet Protocol (IP) address such that the node can 
be correlated to one of the tracked entities even when the node is subject to dynamic IP 
address assignment. 

15. (Cancelled) 

16. (Currently amended) The apparatus of claim 13 wherein the substitute 
se l e cte d value is based on the [[a]] physical address for the node when the [[a]] serial number 
is unavailable. 
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1 7 . (Currently amended) The apparatus of claim 1 3 wherein the substitute 
selected value is based on the [[a]] physical address for the node when a different preferred 
identifier is unavailable. 

18. (Currently amended) The apparatus of claim 1 3 wherein the substitute 
se l e ct e d value is based on both the [[a]] physical address and a network address for the node 
when a different preferred identifier is unavailable. 



19. (Currently amended) The apparatus of claim 13 wherein the unique identifier 
sel e ct e d valu e is a combination of a [[the]] network address for the node and a globally 
unique identifier. 

20. (Currently amended) The apparatus of claim 13 wherein the unique identifier 
select e d value is not based solely on an IPv4 address such that the node can be correlated to 
one of the tracked entities even when the node is subject to dynamic IPv4 address 
assignment. 

21 . (Currently amended) The apparatus of claim 13 wherein the processors are 
further operable to: 

select either a security identifier provided by an operating system of the node erst 
serial numb e r provided by a basic input output system of the node for th e valu e if wh e n the 
received node information includes either the operating system provided security identifier er 
th e serial numb e r ; and 

select the substitute value if a physical address for the value wh e n the received node 
information does not include either the operating system provided security identifier er-the 

22. (Cancelled) 

23 . (Previously presented) The apparatus of claim 1 3 wherein issuance of a false 
alarm is avoided when the received node information is linked to an existing entry in the 
database. 
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24. (Currently amended) The apparatus of claim 13 wherein the processors are 
further operable to use adaptive scanning before determining whether to issue the [[an]] 
alarm. 

25. (Currently amended) A system, comprising: 

means for receiving node information related to a node on said computer network; 

means for selecting from the received node information a security identifier for use in 
a unique identifier when the security identifier is available, and if the security identifier is not 
available, selecting a substitute value for use in the unique identifier, the substitute value 
being at least one value selected from the group of a serial number, a physical address and 
another statically assigned value; 

means for determining whether to issue an alarm indicating a network intrusion 
responsive to receiving the node information by comparing the unique identifier to a 
database; 

means for linking at least a portion of said node information to an existing database 

entry in the database and not issuing the alarm if the comparison indicates a tracked entity 

that corresponds to the node; and 

means for issuing the alarm indicating the network intrusion and creating a new 

database entry if the comparison indicates that the node is a new entity- 
means for analyzing the rocoivod node information to located a unique identifier that 

is abl e to uniquely identify an entity associated with th e node, the unique identifier being a 

value other than a network address for the nod e ; 

m e ans for det e rmining if a database e ntry exists by s e arching gaid database - using 

multiple identifiers from said nod e information that ar e not able to individually uniqu e ly 

identify said entity, if said nod e information do e s not includ e said uniqu e identifier; 

m eans for linking at least a portion of said node information to said e ntry if said entry 

exists; and 

means for creating a now e ntry in said databas e for said entity if no entry exists for 
s aid entity, and linking at l e ast the portion of said nod e information to sai d n e w -entfyr 

26. (Cancelled) 

27. (Currently amended) The system of claim 26, wherein sai d unique identifier 
is based on mult i ple identifiers further comprise a computer name. 
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28. (Currently amended) The system of Claim 27, wherein said unique identifier 
is based on Bari^e4 dentifiers furth e r compris e a domain name. 

29. (Currently amended) The system of Claim 28, wherein sai d unique identifier 
is based on multiple id e ntifi e rs further compris e an operating system identifier. 

30. (Cancelled) 

31. (Cancelled) 

32. (Currently amended) The system of Claim 25, wherein said unique identifi er 
comprises a serial number is associated with a Basic Input Output System for the node . 

33. (Previously presented) The system of claim 25, further comprising: 

means for returning an identifier for an entity in response to a request including a node 
identifier. 

34. (Previously presented) The system of Claim 25, further comprising: 
means for returning identifiers for all nodes associated with an entity in response to a 

request including an entity identifier. 

35. (Previously presented) The system of Claim 25, further comprising: 
means for returning node information in response to a request for said node 

information including a node identifier. 

36-45. (cancelled) 
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